1. A company must re-evaluate its need for the Amazon EC2 instances it currently has provisioned in an Auto Scaling group. At present, the Auto Scaling group is configured for a minimum of two instances and a maximum of four instances across two Availability Zones. A solutions architect reviewed Amazon CloudWatch metrics and found that CPU utilization is consistently low for all the EC2 instances. What should the solutions architect recommend to maximize utilization while ensuring the application remains fault tolerant?
A) Create a new launch configuration that uses smaller instance types. Update the existing Auto Scaling group. B) Modify the Auto Scaling group scaling policy to scale in and out based on a higher CPU utilization metric. C) Remove some EC2 instances to increase the utilization of remaining instances. D) Increase the Amazon Elastic Block Store (Amazon EBS) capacity of instances with less CPU utilization.
2. An operations team has a standard that states IAM policies should not be applied directly to users. Some new members have not been following this standard. The operations manager needs a way to easily identify the users with attached policies. What should a solutions architect do to accomplish this?
A) Create an AWS Config rule to run daily. B) Monitor using AWS CloudTrail. C) Publish IAM user changes to Amazon SNS. D) Run AWS Lambda when a user is modified.
3. A company that develops web applications has launched hundreds of Application Load Balancers (ALBs) in multiple Regions. The company wants to create an allow list for the IPs of all the load balancers on its firewall device. A solutions architect is looking for a one-time, highly available solution to address this request, which will also help reduce the number of IPs that need to be allowed by the firewall. What should the solutions architect recommend to meet these requirements?
A) Create an AWS Lambda function to keep track of the IPs for all the ALBs in different Regions. Keep refreshing this list. B) Set up a Network Load Balancer (NLB) with Elastic IPs. Register the private IPs of all the ALBs as targets to this NLB. C) Launch AWS Global Accelerator and create endpoints for all the Regions. Register all the ALBs in different Regions to the corresponding endpoints. D) Set up an Amazon EC2 instance, assign an Elastic IP to this EC2 instance, and configure the instance as a proxy to forward traffic to all the ALBs.
4. A company operates a website on Amazon EC2 Linux instances. Some of the instances are failing. Troubleshooting points to insufficient swap space on the failed instances. The operations team lead needs a solution to monitor this. What should a solutions architect recommend?
A) Enable detailed monitoring in the EC2 console. Create an Amazon CloudWatch Swap Utilization custom metric. Monitor Swap Utilization metrics in CloudWatch. B) Use EC2 metadata to collect information, then publish it to Amazon CloudWatch custom metrics. Monitor Swap Usage metrics in CloudWatch. C) Configure an Amazon CloudWatch Swap Usage metric dimension. Monitor the Swap Usage dimension in the EC2 metrics in CloudWatch. D) Install an Amazon CloudWatch agent on the instances. Run an appropriate script on a set schedule. Monitor Swap Utilization metrics in CloudWatch.
5. A solutions architect is performing a security review of a recently migrated workload. The workload is a web application that consists of Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The solutions architect must improve the security posture and minimize the impact of a DDoS attack on resources. Which solution is MOST effective?
A) Create a custom AWS Lambda function that adds identified attacks into a common vulnerability pool to capture a potential DDoS attack. Use the identified information to modify a network ACL to block access. B) Enable Amazon GuardDuty and configure findings to be written to Amazon CloudWatch. Create an event with CloudWatch Events for DDoS alerts that triggers Amazon Simple Notification Service (Amazon SNS). Have Amazon SNS invoke a custom AWS Lambda function that parses the logs looking for a DDoS attack. Modify a network ACL to block identified source IP addresses. C) Configure an AWS WAF ACL with rate-based rules. Create an Amazon CloudFront distribution that points to the Application Load Balancer. Enable the WAF ACL on the CloudFront distribution. D) Enable VPC Flow Logs and store them in Amazon S3. Create a custom AWS Lambda function that parses the logs looking for a DDoS attack. Modify a network ACL to block identified source IP addresses.
1. Right Answer: A Explanation: Consistently low CPU on every instance means the instances are oversized. A launch configuration cannot be edited in place, so create a new one with a smaller instance type and update the Auto Scaling group to use it. Keeping the minimum of two instances across two Availability Zones preserves fault tolerance, which removing instances (C) would not. Note that instances already running keep the old launch configuration until they are replaced (for example, by an instance refresh or by terminating them so the group relaunches with the new configuration). Reference: Changing the launch configuration for an Auto Scaling group - Amazon EC2 Auto Scaling
2. Right Answer: A Explanation: AWS Config records the configuration of each IAM user, including its attached managed policies and inline policies, and a rule (the managed rule iam-user-no-policies-check, or a custom rule) marks every user that has a policy attached directly as NON_COMPLIANT. The compliance view gives the operations manager a ready list of offending users, whereas CloudTrail, SNS or a Lambda trigger would only surface individual change events that someone would still have to correlate. Reference: How to Record and Govern Your IAM Resource Configurations Using AWS Config | AWS Security Blog (amazon.com)
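The evaluation logic such a Config rule runs, written here as an added example (not code from the page or from AWS): a change-triggered custom rule Lambda that inspects an AWS::IAM::User configuration item and reports NON_COMPLIANT when any managed or inline policy is attached directly. The configuration items, user IDs and result token are constructed for the example; the field names `attachedManagedPolicies` and `userPolicyList` are the ones Config records for IAM users.

```python
"""Evaluation logic for a custom AWS Config rule that flags IAM users with
policies attached directly. Added example, not code from the page or from AWS;
the configuration items below are constructed by hand, not recorded by Config."""
import json

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"


def evaluate_user(item):
    """Return (compliance_type, annotation) for one AWS::IAM::User configuration item.

    Config records a user's directly attached managed policies under
    'attachedManagedPolicies' and inline policies under 'userPolicyList'; either
    list being non-empty breaks the "no policies on users" standard.
    """
    if item.get("resourceType") != "AWS::IAM::User":
        return NOT_APPLICABLE, "rule only evaluates IAM users"
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return NOT_APPLICABLE, "user has been deleted"
    config = item.get("configuration") or {}
    managed = [p["policyArn"] for p in config.get("attachedManagedPolicies", [])]
    inline = [p["policyName"] for p in config.get("userPolicyList", [])]
    if not managed and not inline:
        return COMPLIANT, "no policies attached directly to the user"
    return NON_COMPLIANT, "managed=%s inline=%s" % (managed, inline)


def build_evaluation(item):
    """Shape one result the way the PutEvaluations API expects it."""
    compliance, annotation = evaluate_user(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],          # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def make_event(item, result_token="constructed-token"):
    """Build the event Config sends to a change-triggered rule Lambda (token is constructed)."""
    return {"invokingEvent": json.dumps({"configurationItem": item,
                                         "messageType": "ConfigurationItemChangeNotification"}),
            "resultToken": result_token}


def lambda_handler(event, context=None):
    """Rule entry point. In AWS the evaluation is reported with
    boto3.client('config').put_evaluations(Evaluations=[ev], ResultToken=event['resultToken']);
    here it is returned so the logic can be exercised offline."""
    invoking = json.loads(event["invokingEvent"])
    return build_evaluation(invoking["configurationItem"])


def find_violators(items):
    """Names of users whose items evaluate NON_COMPLIANT (the list the manager wants)."""
    return [i["resourceName"] for i in items if evaluate_user(i)[0] == NON_COMPLIANT]


def _user_item(name, uid, managed=(), inline=()):
    """Constructed AWS::IAM::User configuration item (sample data, not recorded by Config)."""
    return {
        "resourceType": "AWS::IAM::User", "resourceId": uid, "resourceName": name,
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {
            "userName": name,
            "attachedManagedPolicies": [{"policyName": m.rsplit("/", 1)[-1], "policyArn": m}
                                        for m in managed],
            "userPolicyList": [{"policyName": n, "policyDocument": "{}"} for n in inline],
        },
    }


SAMPLE_ITEMS = [
    _user_item("alice", "AIDAEXAMPLE000000001",
               managed=["arn:aws:iam::aws:policy/AdministratorAccess"]),
    _user_item("bob", "AIDAEXAMPLE000000002", inline=["s3-read"]),
    _user_item("carol", "AIDAEXAMPLE000000003"),   # gets permissions through groups only
]

if __name__ == "__main__":
    print("users with directly attached policies:", find_violators(SAMPLE_ITEMS))
    for item in SAMPLE_ITEMS:
        print(lambda_handler(make_event(item)))
```

Deploying this as a custom rule is only necessary if the managed rule does not fit; with either, the Config console's compliance view for the rule is the list of users the standard is being violated for, and it updates whenever a user's policies change.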
3. Right Answer: C Explanation: AWS Global Accelerator provides two static anycast IP addresses that act as the single entry point for the application in every Region, with the ALBs registered as endpoints behind it. The firewall then only needs to allow those two fixed IPs rather than hundreds of ALB addresses that change over time, and the accelerator itself is highly available. Reference: https://aws.amazon.com/global-accelerator/faqs/
4. Right Answer: D Explanation: EC2 only publishes metrics visible from the hypervisor (CPU, network, disk I/O); memory and swap are guest-level, so enabling detailed monitoring, instance metadata or a metric dimension cannot produce them. Swap utilization has to be collected inside the operating system, by the CloudWatch agent or by a script run on a schedule, and published as a custom metric that can then be graphed and alarmed on in CloudWatch. Reference: Monitor memory and disk metrics for Amazon EC2 Linux instances - Amazon Elastic Compute Cloud
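What the scheduled script in option D computes, as an added example (not the page's or AWS's script): it parses `/proc/meminfo`, derives swap used and utilization, and shapes the values as the MetricData list that the CloudWatch PutMetricData API takes. The meminfo text, the instance ID and the `System/Linux` namespace are constructed for the example.

```python
"""Swap metrics as a scheduled script on a Linux instance would compute them
before publishing to CloudWatch as custom metrics. Added example, not code
from the page or from AWS; the /proc/meminfo text is a constructed sample."""
import json

SAMPLE_MEMINFO = """\
MemTotal:        4030364 kB
MemFree:          161004 kB
MemAvailable:     712120 kB
Buffers:           38844 kB
Cached:           604832 kB
SwapCached:        12288 kB
SwapTotal:       2097152 kB
SwapFree:        1572864 kB
"""

NAMESPACE = "System/Linux"      # assumed custom namespace for the example


def parse_meminfo(text):
    """Return {field: kilobytes} from /proc/meminfo-style text (values are always kB)."""
    values = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, rest = line.split(":", 1)
        parts = rest.split()
        if parts and parts[0].isdigit():
            values[key.strip()] = int(parts[0])
    return values


def swap_metrics(meminfo):
    """Swap total/used in MB and utilization in percent.

    Instances with no swap report SwapTotal 0; report 0% rather than dividing by zero.
    """
    total_kb = meminfo.get("SwapTotal", 0)
    free_kb = meminfo.get("SwapFree", 0)
    used_kb = max(total_kb - free_kb, 0)
    util = 0.0 if total_kb == 0 else round(100.0 * used_kb / total_kb, 2)
    return {"SwapTotal": total_kb / 1024.0, "SwapUsed": used_kb / 1024.0, "SwapUtilization": util}


def build_metric_data(metrics, instance_id):
    """Shape the values as the MetricData list that CloudWatch PutMetricData takes."""
    dims = [{"Name": "InstanceId", "Value": instance_id}]
    return [
        {"MetricName": "SwapUtilization", "Dimensions": dims, "Unit": "Percent",
         "Value": metrics["SwapUtilization"]},
        {"MetricName": "SwapUsed", "Dimensions": dims, "Unit": "Megabytes",
         "Value": metrics["SwapUsed"]},
    ]


def collect(meminfo_text=None, instance_id="i-0123456789abcdef0"):
    """Read /proc/meminfo (or the given text) and return ready-to-publish MetricData.

    The instance ID is a placeholder; on EC2 it would come from instance metadata.
    """
    if meminfo_text is None:
        with open("/proc/meminfo") as fh:
            meminfo_text = fh.read()
    return build_metric_data(swap_metrics(parse_meminfo(meminfo_text)), instance_id)


if __name__ == "__main__":
    # Run from cron every minute on the instance and publish with
    # boto3.client("cloudwatch").put_metric_data(Namespace=NAMESPACE, MetricData=data),
    # then create a CloudWatch alarm on SwapUtilization.
    data = collect(SAMPLE_MEMINFO)
    print(json.dumps({"Namespace": NAMESPACE, "MetricData": data}, indent=2))
```

The CloudWatch agent can collect the same figures without a script through its `swap` section (`swap_used_percent`, `swap_used`, `swap_free` in `metrics_collected`); the script is the form the answer describes and is what you would use on instances where installing the agent's collectors is not an option.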
5. Right Answer: C Explanation: A rate-based rule in AWS WAF counts requests per source IP over a rolling five-minute span and blocks sources that exceed the limit, which stops layer 7 request floods before they reach the ALB. Placing CloudFront in front absorbs traffic at the edge locations, and both CloudFront and the ALB are covered by AWS Shield Standard against network and transport layer floods. Options A, B and D all react after the fact by editing a network ACL one source IP at a time, which is slow, stateless and does not scale against distributed sources.
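The counting a rate-based rule performs, replayed over a constructed request log as an added example (not AWS WAF code): a per-source sliding window of WAF's five-minute span, blocking a source while its count is over the limit and releasing it when the rate drops. The log, the IP addresses and the limit of 100 requests per window are assumptions for the example; WAF evaluates its counts periodically rather than on every request, so this is the per-request approximation of that behaviour.

```python
"""Per-source sliding-window counting of the kind an AWS WAF rate-based rule
performs, run over a constructed request log. Added example, not WAF code; the
window length matches WAF's 5-minute span, the limit is an assumption."""
from collections import defaultdict, deque

WINDOW_SECONDS = 300   # a WAF rate-based rule counts requests over a 5-minute span
DEFAULT_LIMIT = 100    # requests per source IP per window; assumed for the example


def generate_requests():
    """Constructed log as (epoch_seconds, client_ip, path): one flooding source, two normal."""
    t0 = 1_700_000_000
    reqs = [(t0 + i * 0.5, "203.0.113.7", "/login") for i in range(150)]   # 150 hits in 75 s
    reqs += [(t0 + i * 15, "198.51.100.20", "/") for i in range(20)]       # 20 hits in 5 min
    reqs += [(t0 + i * 30, "192.0.2.44", "/api/status") for i in range(10)]
    return sorted(reqs)


class RateLimiter:
    """Counts requests per source IP in a sliding window and blocks while over the limit."""

    def __init__(self, limit=DEFAULT_LIMIT, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.history = defaultdict(deque)   # ip -> timestamps still inside the window
        self.first_exceeded = {}            # ip -> time the limit was first crossed

    def observe(self, ts, ip):
        """Record one request; return True if it should be blocked."""
        q = self.history[ip]
        # Drop timestamps that fell out of the window before counting this request.
        while q and q[0] <= ts - self.window:
            q.popleft()
        q.append(ts)
        over = len(q) > self.limit
        if over and ip not in self.first_exceeded:
            self.first_exceeded[ip] = ts
        return over


def run(requests, limit=DEFAULT_LIMIT):
    """Replay a request log; return (IPs that crossed the limit, blocked-request count per IP)."""
    limiter = RateLimiter(limit)
    blocked = defaultdict(int)
    for ts, ip, _path in requests:
        if limiter.observe(ts, ip):
            blocked[ip] += 1
    return set(limiter.first_exceeded), dict(blocked)


if __name__ == "__main__":
    flagged, blocked = run(generate_requests())
    print("sources over limit:", sorted(flagged))
    print("requests blocked per source:", blocked)
```

Because the decision is per source and self-resetting, a legitimate client that briefly bursts is released as soon as its five-minute count falls back under the limit, which is the property a hand-maintained network ACL deny list lacks.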